New, more dangerous Oracle attack found

UK researcher bypasses system priviliges

By Computerworld US staff

February 28, 2007

Share

Twitter

Facebook

LinkedIn

In a paper he plans to discuss today at the Black Hat 2007 ‘future of security’ conference, noted database security researcher David Litchfield is expected to outline a new attack method against Oracle databases that increases the danger to unpatched systems.

Litchfield, the managing director of UK-based Next Generation Security (NGS) Software, has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in his paper, "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences", increases the threat risk of many Oracle-disclosed bugs.

"On occasion, Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw," Litchfield said in the paper. "This is not the case. All SQL injection flaws can be fully exploited without any system privilege other than ‘create session’ and, accordingly, the risk should never be 'marked down' [in an alert]," he said.

The new technique doesn't rely on a vulnerability and applies to all versions of Oracle. More importantly, said Symantec in an alert this week, the method puts to rest one of the rationalisations that Oracle has used to downgrade some bug threats.

"In the past, Oracle advisories have contended that a vulnerability was not exploitable if the attacker couldn't create a procedure or function," said Symantec in its warning to customers of its DeepSight threat system. "But this settles the debate, showing that exploration is possible even when this privilege limitation is encountered."

"Fixes for the SQL injection vulnerabilities discussed in the paper were included in Oracle's October 2006 Critical Patch Update [CPU]," the spokesperson added. "To help prevent an attack based on the methods described in the paper, Oracle strongly encourages customers to apply the latest CPU." Deploying the patches in the most recent Oracle CPU, however, does not block the new attack scheme, only specific, known vulnerabilities.

It didn't take long for existing Oracle exploits to be revamped with Litchfield's cursor injection technique. According to Symantec, at least four exploits that target Oracle products were updated yesterday to leverage the new exploitation method.